W3C Web Security Workshop Report

W3C held a workshop on 'Transparency and Usability of Web Authentication' on 15-16 March 2006, in order to identify steps W3C can take to improve Web security from the user-facing end of the spectrum. Most workshop participants came from the security and browser-vendor community (Google, HP, IBM, KDE, Microsoft, Mozilla, Nokia, Opera, VeriSign, Yahoo! and others), together with leaders from the online financial sector.

Workshop participants.

The workshop program was structured into seven sessions and an open discussion of next steps. Participants considered shortcomings in the usability of current browser-based authentication technologies. Requirements for and limitations of possible improvements were also presented by a number of speakers. Approaches for concrete improvements included leveraging (secure) metadata; a number of proposals for changes to browser user interfaces and behaviors; protocol changes; and new approaches to identity online.

Based on the discussions, W3C staff is currently engaging those present at the workshop and other W3C Members in discussions that may lead to Working Group charters in three areas: Form-filler support; Secure Chrome; and Secure Metadata.

'Form-filler support' would enable browsers to reliably recognize log-in forms instead of guessing at them. This ability would allow browser-side credential management that is more reliable and usable than the current heuristics-based form-filling mechanisms, which can both miss genuine log-in forms and misidentify unrelated forms as log-in forms. Browsers could also use this capability to launch advanced and security-focused user interfaces for credential entry.

Work on secure chrome and secure metadata would identify a baseline set of security context information that should be presented to the user, and best practices for displaying that information. Work in this area may also cover restrictions on scripting capabilities that are known to make faking security indicators particularly easy.

The workshop, hosted by Citigroup, was chaired by Dan Schutzer (FSTC) and Thomas Roessler (W3C).